Information Security Management

Information Security Policy, Organization and Targets

Rapid adoption of digital technologies at ASEH is driving an increased need to strengthen the protection of information assets. To that end, ASEH’s Information Security Policy is designed to safeguard the confidentiality and maintain the integrity and availability of all information assets in accordance with applicable laws and regulations, thereby increasing customer confidence, raising the company’s competitiveness and preventing operational disruptions. Information security risks are assessed against applicable laws and regulations and operational objectives, and are reported to senior management and the Board of Directors on a regular basis to help set guidelines, strategies and targets.

The Information Security Management Committee was established by the CSC to develop strategic plans, establish benchmarks for information security maturity assessments and coordinate all internal and external technical resources and information. Richard H.P. Chang, Vice Chairman of ASEH, has been appointed chair of the committee. The CAO and Corporate Governance Officer of ASEH is appointed Chief Information Security Officer (CISO) of the committee and assumes responsibility for establishing the information security management framework, which includes regular reviews with all ASEH subsidiaries and implementing incident response plans. The committee provides a status report to the Board of Directors in the last quarter of each fiscal year. In addition, the Executive Secretariat of the Corporate CSR unit is responsible for promoting and executing information security-related work, and each subsidiary appoints its information security team as members of the committee, responsible for implementing the information security operations resolved by the Information Security Management Committee. We hold quarterly Information Security Management Committee meetings to report and discuss the progress of our information security work, and invite external experts to share information security trends and topics of concern.

As our business continues to grow, the amount of information generated has also increased exponentially. Safeguarding the confidentiality, integrity and availability of information forms the cornerstone of ASEH’s information security management. Besides identifying internal and external information security risks and formulating countermeasures, we conduct the NIST CSF maturity assessment in all facilities every year. Our cybersecurity policies are formulated to ensure the highest level of network and system protection and to mitigate the impact of any disruption. At the same time, education and training are actively conducted to enhance employee awareness of the importance of information security and to prevent major data breaches. Building resilience through a robust information security management system is key to corporate sustainability and will greatly boost stakeholder satisfaction.

Information Security Assessment and Maturity*

Facility                   Management System   Issue Date   Valid Until
ASE Kaohsiung              ISO 27001:2013      2023/4/14    2025/10/31
ASE Chungli                ISO 27001:2013      2023/11/20   2025/10/31
ASE Shanghai (Material)    ISO 27001:2013      2022/7/4     2025/7/3
SPIL Da Fong               ISO 27001:2013      2023/6/2     2026/6/1
SPIL Chung Shan            ISO 27001:2013      2023/6/2     2026/6/1
SPIL Zhong Ke              ISO 27001:2013      2023/6/2     2026/6/1
SPIL Hsinchu               ISO 27001:2013      2023/6/2     2026/6/1
SPIL Changhua              ISO 27001:2013      2023/6/2     2026/6/1
USI Nantou                 ISO 27001:2013      2022/7/4     2025/7/3

Information Security Certification

To build corporate resilience and protect company assets, ASEH adopts internationally recognized information security standards that allow the company to improve network protection, establish effective management and control mechanisms for smart manufacturing and enhance our competitiveness.

International information security certification

ISO 27001: ASE Kaohsiung, ASE Chungli, ASE Shanghai (Material), SPIL, and USI adopted the ISO information security management standard to strengthen risk management associated with information security threats, including policies, procedures and staff training.
ISO 22301: ASE Kaohsiung, SPIL and USI have received ISO 22301 certification to strengthen internal capabilities to protect against, reduce the likelihood of, and ensure prompt recovery from disruptive incidents.
ISO 15408: ASE Kaohsiung and Chungli have received ISO 15408 EAL6 certification, the highest level of certification for security chip products. The certification provides assurance to customers that ASE has in place the highest security standard of information protection and information security control across its manufacturing facilities.
ISO 21434: ASE Kaohsiung is the first semiconductor assembly and testing facility in the world to receive the ISO/SAE 21434 international automotive cybersecurity standard certification, with 100% compliance certified by TUV NORD of Germany.
IEC 62443-2-1: ASE Kaohsiung successfully completed the German TUV NORD’s professional evaluation and obtained the IEC 62443-2-1 certification, becoming the very first company in the Taiwan semiconductor industry to receive the certification.
GSMA: ASE Kaohsiung received the GSMA certification for meeting mobile communication security standards. The ASE Kaohsiung manufacturing site is now an accredited Universal Integrated Circuit Card (UICC) production (SAS-UP) supplier site.

The first company in the Taiwan semiconductor industry to receive IEC 62443-2-1 certification.

Cybersecurity Maturity

To further strengthen ASEH’s cybersecurity and bolster the defences at all ASEH sites, we began adopting the NIST Cybersecurity Framework (CSF) in 2019. The framework categorizes all cybersecurity capabilities, projects, processes and daily activities into five core functions: Identify, Protect, Detect, Respond, and Recover. Each factory site can undertake individualized cybersecurity enhancements based on its own maturity assessment results and recommendations for improvement. We constantly benchmark ourselves against the semiconductor industry to better understand our own cyber maturity level. We assess the risks that affect each subsidiary across different cybersecurity areas, countries, or operations and consolidate resources to provide better guidance and support. We continued the maturity level assessment in 2022 and focused on consolidating the cybersecurity management status, progress and strategy updates from all subsidiaries based on the NIST CSF’s five core functions. Driven by digital transformation trends, ASEH is cognizant of the convergence between IT and OT. In particular, the breadth of horizontal implementation is being extended from IT to OT, aiming to bring the maturity level of OT closer to that of IT. With that, we are adopting a strategic approach that will gradually enhance the cybersecurity defense capabilities of critical operational systems throughout the company.

Information Security Implementation and Safeguards

Cybersecurity risk identification and management

On an annual basis, ASEH commissions a third-party company to conduct regular cybersecurity audits and assessments, such as external audits, vulnerability scanning, and penetration testing, to ensure that our information systems and network comply with security standards. We strictly enforce cybersecurity policies and implement customer privacy protection measures to avoid the unauthorized disclosure of the company’s confidential business information and customer data. In the event of unforeseen cyberattacks, the cybersecurity team convenes immediate technical exchanges and tactical meetings to analyze and review the relevant responses and defense measures, constructing a comprehensive and synchronized defense network.

In addition to continuous improvement in our IT management, we are also gradually transferring our IT cybersecurity experience to operational technology and initiating phased planning and implementation of cybersecurity assessments in the OT domain. Through assessments and testing conducted by external experts, potential cybersecurity threats and risks in the OT environment can be reduced. OT cybersecurity assessments were completed at four facility sites in 2022.

In addition to managing operational risks from the perspective of corporate governance, we work to increase employees’ cybersecurity awareness and enhance organizational operational capabilities. All employees at ASEH must receive PIP cybersecurity educational training, covering the cybersecurity policy, the cybersecurity management framework, cybersecurity control measures, and related topics. In 2022, a total of 53,991 individuals completed 40,019 hours of training courses. Additionally, occasional social engineering email drills were conducted to enhance employees' awareness of social engineering attacks via email. We will gradually introduce systematic management mechanisms covering participation in cybersecurity meetings, educational training, incident management, confidential file labeling, antivirus/software security, and other cybersecurity-related projects. Monitoring and audits are conducted as an extension of our scope of management, and compliance is integrated into employee KPIs to avoid penalties, legal liabilities, and impacts on business operations.

Increasing Cyber Resilience

There were no serious cybersecurity incidents at ASEH in the past three years. In addition to constructing a cybersecurity incident classification system and reporting/response procedures, we also conduct a cybersecurity incident drill annually to ensure fast responses in the event of incidents, reduce risks, and minimize the scope of damage. We also established the ASEH Information Security Management System, incorporating cybersecurity information and cybersecurity incident reporting, to facilitate real-time acquisition and dissemination of cybersecurity information and efficient handling of incident reports. Our goal is to gain a comprehensive understanding of the risk landscape, enhance response and defense capabilities, and establish a cross-functional collaborative defense mechanism. ASEH has also purchased cybersecurity insurance as a backup, enabling us to take immediate measures, reduce potential losses to the company, customers, and suppliers, and restore normal business operations quickly.

We conduct an incident recovery drill every six months. The drill covers the organizational structure, scope, duration, critical information systems, participating units, participating personnel and their assigned tasks, backup personnel, implementation steps and processes of the drill, required resources, risk management during the drill, and post-drill review and improvement processes, among others. The purpose is to ensure the company can leverage its disaster response capabilities and disaster recovery mechanisms to quickly restore operations to a normal or acceptable level for the business, and to ensure uninterrupted operation of critical information systems. The drill will continue to be conducted to provide the maintenance, management, and training needed to ensure the effectiveness of the backup systems.

Information Security Information Exchange

ASEH maintains close communication with government authorities, domestic and international information security organizations and platforms. We have also contributed significantly to the drafting of SEMI E187 - Specification for Cybersecurity of Fab Equipment, Taiwan's first semiconductor wafer equipment information security standard. As we advance into industry 4.0, our competitive edge is built upon a robust and effective information security management framework that will safeguard the company’s interests and that of our business partners and stakeholders.

Supply Chain Cybersecurity Management

The digitization of the supply chain and the exchange of large volumes of data have increased cybersecurity risks along the supply chain. In 2022, ASEH established the Supplier Cybersecurity Assessment System, which primarily focuses on critical suppliers and follows a four-step process: current situation assessment, guidance for improvement, results confirmation, and follow-up evaluation. A total of 77 supplier cybersecurity assessments were conducted in the year following this process. The scope of assessments will be gradually expanded, and follow-up evaluations will be conducted every three years. We aim to construct a comprehensive cybersecurity management mechanism that provides stability for business operations, strengthens cybersecurity resilience, and raises the cybersecurity standards of the semiconductor industry.

Outcomes of cybersecurity measures in 2022

Cybersecurity policies, organizations, and goals
  • Zero material cybersecurity incidents
  • Formulated three cybersecurity goals for 2025
  • Convened four ASEH cybersecurity team meetings

Cybersecurity certification and maturity
  • One site obtained the ISMS ISO 27001 certification
  • One site obtained the IEC 62443-2-1 certification
  • Conducted the NIST cybersecurity maturity assessment at 19 sites

Cybersecurity measures and protection
  • Implementation of one ASEH Information Security Management System
  • OT cybersecurity assessment at four sites
  • Two cybersecurity incident drills
  • Providing cybersecurity educational training to 53,991 individuals
  • Accumulating 40,019 hours of cybersecurity educational training
  • Ongoing cybersecurity insurance coverage
  • Conducting cybersecurity assessments for 77 suppliers